{
	"id": "60ef9e13-400c-46ba-87d8-671748047c85",
	"created_at": "2026-04-06T00:15:49.306245Z",
	"updated_at": "2026-04-10T13:12:18.167653Z",
	"deleted_at": null,
	"sha1_hash": "e173563d4c7aa0e01d186d34fa07739d6bba9591",
	"title": "Dino – the latest spying malware from an allegedly French espionage group analyzed",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 666672,
	"plain_text": "Dino – the latest spying malware from an allegedly French\r\nespionage group analyzed\r\nBy Joan Calvet\r\nArchived: 2026-04-05 15:27:44 UTC\r\nIn this blog we describe a sophisticated backdoor, called Dino by its creators. We believe this malicious software\r\nhas been developed by the Animal Farm espionage group, who also created the infamous Casper, Bunny and\r\nBabar malware. Dino contains interesting technical features, and also a few hints that the developers are French\r\nspeaking.\r\nAnimal Farm is the security industry’s name for a group of attackers first described by Canada’s Communications\r\nSecurity Establishment (CSE) in a set of slides leaked by Edward Snowden in March 2014. In those slides CSE\r\nassess with “moderate certainty” that this group is a French intelligence agency. Since then, several examples of\r\nmalware created by Animal Farm have been found and publicly documented, in particular:\r\nCasper, a stealthy first-stage implant, documented by ESET in last March\r\nBunny, a Lua-based backdoor, documented by Marion Marschalek (Cyphort)\r\nBabar, an espionage platform, also analyzed by Marion Marschalek\r\nThe connection between those pieces of malware and the group described in CSE slides has been convincingly\r\nestablished, for example by Paul Rascagnères (G Data).\r\nIn this blog post we add a new piece to the puzzle with Dino, another malicious program belonging to Animal\r\nFarm’s arsenal.\r\nIntroduction\r\nThe sample of Dino documented in this blog post was used in 2013 against targets in Iran. The original means of\r\ninfection is unknown, though we believe Dino was installed by another program, as it contains an uninstallation\r\ncommand without the corresponding installation procedure. Given the set of commands it can receive, Dino’s\r\nmain goal seems to be the exfiltration of files from its targets.\r\nThe binary’s original name, “Dino.exe”, has been left visible by its authors, as was the case with Casper. 
Dino –\r\nwhich could be referring to the pet character from The Flintstones cartoon show – was already mentioned in a\r\nrecent Kaspersky blog as a “full-featured espionage platform,” but no technical analysis has been published yet.\r\nRoughly, Dino can be described as an elaborate backdoor built in a modular fashion. Among its technical\r\ninnovations, there is a custom file system to execute commands in a stealthy fashion, and a complex task-scheduling module working in a similar way to the “cron” Unix command. Interestingly, the binary contains a lot\r\nof verbose error messages, allowing us to see Dino’s developers’ choice of wording. Also, a few technical artefacts\r\nsuggest that Dino was authored by native French speakers.\r\nhttps://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/\r\nPage 1 of 14\n\nDino Basics\r\nModules List\r\nDino has been developed in C++ and presents a well-defined modular architecture. The following array lists the\r\nmodules contained in this Dino binary; the module names are those assigned by the developers.\r\nModule Name Module Purpose\r\nPSM Encrypted on-disk copy for Dino modules\r\nCORE Configuration storage\r\nCRONTAB Task scheduler\r\nFMGR File upload and download manager\r\nCMDEXEC Command execution manager\r\nCMDEXECQ Storage queue for commands to execute\r\nENVVAR Storage for environment variables\r\nData Structure\r\nDino heavily relies on a custom data structure named “DataStore” by the Animal Farm developers. In particular,\r\nall Dino’s modules store their content inside this structure, making its understanding one of the keys to analyzing\r\nDino.\r\nA DataStore is a map from string keys to values of 8 possible types, such as integers or strings. The\r\nimplementation of this data structure is based on a hash table. 
It means that to retrieve the value associated with a\r\nkey, one has to calculate the hash of the key to locate a bucket from which the value can be retrieved.\r\nDino’s hash is a one-byte value calculated with a series of XOR operations on the key, and each bucket starts a\r\nlinked list containing key/value pairs. The code responsible for retrieving the value associated with a key is shown\r\nin Figure 1.\r\nFigure 1\r\nFinally, DataStore objects can be serialized in a custom format, which begins with the magic word “DxSx”. This\r\nis used in particular by the PSM module to save the content of Dino modules in an encrypted file. More precisely,\r\nwhen a modification is made to a module’s content in memory, the PSM module saves it as a serialized DataStore.\r\nWhen Dino restarts, the module is deserialized from the file and loaded into memory. Funnily enough, the key\r\nserving to encrypt the file on disk is “PsmIsANiceM0du1eWith0SugarInside”.\r\nConfiguration\r\nDino’s configuration is initially stored in a serialized DataStore object contained in a zip archive at the end of the\r\nDino binary. At runtime this object is deserialized and stored inside the CORE module. 
We can list the\r\nconfiguration’s content with Dino’s “conf –l CORE” command – described later – which displays on separate\r\nrows each key’s name, its associated value and the type of this value:\r\nStarted:5523F782 QWORD\r\nInitialWaitDone:00000001 DWORD\r\nInteractiveDelay:00000005 DWORD\r\nMaxNothingSaidCount:00000078 DWORD\r\nInstallDate: 5523F782 QWORD\r\nfields:78537844…[REDACTED]…66B3900 BYTES\r\nrecID:11173-01-PRS WIDESTR\r\nVersion:1.2 WIDESTR\r\nBD_Keys: 4D41474943424F58…[REDACTED]…9EB3506 BYTES\r\nCC_Keys: 4D41474943424F58…[REDACTED]…0000000 BYTES\r\nMaxDelay:00000E10 DWORD\r\nComServer0:hXXp://www.azhar.bf/…[REDACTED]…/postal.php STR\r\nComServer1:hXXp://www.rsvniima.org/…[REDACTED]…/din12/postal.php STR\r\nComServer2:hXXp://www.azhar.bf/…[REDACTED]…/postal.php STR\r\nComServer3:hXXp://www.rsvniima.org/…[REDACTED]…/din12/postal.php STR\r\nComServer4:hXXp://dneprorudnoe.info//…[REDACTED]…/postal.php STR\r\nComServer5:hXXp://dneprorudnoe.info//…[REDACTED]…/postal.php STR\r\nComServer6:hXXp://dneprorudnoe.info//…[REDACTED]…/postal.php STR\r\nNextSendReceive:5CC33097FB72D001 BYTES\r\nCC:000064F7-72E4-3F7D-C817-474D-A9BDBDF7 STR\r\nDaysOfLife:00000000 DWORD\r\nGUID:12FEB4A9EEDEE411B283000C29FD2872 BYTES\r\nInitialDelay:00000000 DWORD\r\nnow:5523F78E QWORD\r\nhash:A88E8181CA5CE35AE70C76145DFB820D BYTES\r\nInitialCommands:78537844…[REDACTED]…000000 BYTES\r\nxT0rvwz:DC188352A…[REDACTED]…00000 BYTES\r\ntr4qa589:K/[RAFtIP?ciD?:D STR\r\njopcft4T:a.ini WIDESTR\r\nWhile most of the keys have self-explanatory names, we would like to focus on the following keys:\r\n“recID”: Animal Farm’s binaries contain an ID whose decimal value appears to identify the target, “11173-\r\n01-PRS” in this case. For example Casper used an “ID” value set to “13001”, whereas some Babar samples\r\nused “12075-01” and “11162-01”. 
We do not know the meaning of the “PRS” suffix added in the case of\r\nDino.\r\n“ComServer”: These keys contain the command and control (C\u0026C) servers’ URLs. All the URLs were\r\ndown when we started our analysis. Those C\u0026Cs were compromised legitimate websites, which is standard\r\noperating procedure for Animal Farm.\r\n“Version”: Dino’s code version; here set to “1.2”, which is confirmed by the “din12” folder used in one of\r\nthe C\u0026C URLs. For the record, a “d13” folder has been seen on another Animal Farm C\u0026C (see “3.7\r\nCalling home” of Marschalek’s Babar report), indicating that Dino version 1.3 has also likely been\r\ndeployed at some point.\r\n“BD_Keys” and “CC_Keys” contain cryptographic keys to encrypt the network communications with\r\nC\u0026C servers. Their values start with the word “MAGICBOX”.\r\nThe three last keys are displayed with obfuscated names (“xT0rvwz”, “tr4qa589” and “jopcft4T”) and store\r\nparameters for the custom file system we will describe later.\r\nCommands\r\nThe following Table lists the commands accepted by this Dino binary with the names chosen by the developers.\r\nEach of those commands can take one or more arguments.\r\nCommand Purpose\r\nsysinfo Retrieve reconnaissance information from the machine\r\nkillBD Uninstall Dino using the custom file system (see ramFS description below for details)\r\n! Execute Windows batch command passed as a parameter\r\ncd Change the current work directory\r\npwd Retrieve the current work directory path\r\ndir List files in a given directory with various additional information\r\nset Set or remove environment variables stored in the ENVVAR module\r\nconf Display or update module content\r\nsearch\r\nSearch for files whose names match given patterns. 
The files found are packed in an archive,\r\nwhich is then scheduled for upload to the C\u0026C using the FMGR module.\r\narchive Create an archive from given file paths\r\nunarchive Unpack an archive to a given location\r\ndownload Schedule a file transfer to the C\u0026C using the FMGR module\r\ncancel Remove the next file transfer scheduled in the FMGR module\r\ncancelall Remove all scheduled file transfers in the FMGR module\r\ncronadd\r\nSchedule a command to be executed at a certain time by the CRONTAB module (see\r\nCRONTAB description below for details)\r\ncronlist List registered entries in the CRONTAB module\r\ncrondel Remove an entry in the CRONTAB module\r\nwakeup\r\nSchedule a wake-up of the malware after a certain amount of time using the CRONTAB\r\nmodule\r\nrestart N/A: the command is actually not implemented\r\nshowip Display the public IP of the infected machine\r\ncominfos Display information about the currently used C\u0026C server\r\ncomallinfos Display information about all known C\u0026C servers\r\nwget Download a file from the currently used C\u0026C server onto the machine\r\ndelayttk Delay the de-installation of the malware, if scheduled\r\nOne command of particular interest is “search”, which allows the operators to look for files very precisely. For\r\nexample, it can provide all files with a “.doc” extension, the size of which is bigger than 10 kilobytes, and that\r\nwere modified in the last 3 days. We believe this exfiltration of files to be Dino’s end goal.\r\nAt startup Dino executes successively the commands stored in the “InitialCommands” field in its configuration; in\r\nthe sample we analyzed they are:\r\nsysinfo\r\ncominfos\r\n!ipconfig /all\r\n!ipconfig /displaydns\r\n!tracert www.google.com\r\nThose commands serve as a reconnaissance step for the operators. 
Their execution is managed by the CMDEXEC\r\nmodule, the commands being stored in a queue inside the CMDEXECQ module. The result is reported to the C\u0026C\r\nserver.\r\nAfter having described Dino’s basics, we are now going to dig into two particularly interesting components; first,\r\na custom file system used by the malware, and then the CRONTAB module in charge of task scheduling.\r\nRamFS: A Temporary File System\r\nDino contains a custom file system named “ramFS” by its developers. It provides a complex data structure to store\r\nfiles in memory, each of them bearing a name corresponding to filenames used by usual file systems. RamFS also\r\ncomes with a set of custom commands that can be stored in files and executed. It should be noticed that ramFS is\r\nalso present in other Animal Farm binaries (see attribution paragraph below), but since we are unaware of\r\nprevious analysis of ramFS, we are describing our findings here.\r\nArchitecture\r\nRamFS content is initially stored encrypted in Dino’s configuration under the key “xT0rvwz”, whereas the\r\ncorresponding RC4 key is stored under the key “tr4qa589”. Once the file system has been decrypted, it is stored in\r\nmemory as a linked list of 512-byte memory chunks, each one of them being individually RC4-encrypted. When\r\nlooking for a file in ramFS, each chunk is decrypted, processed and then re-encrypted. 
Hence there are very few\r\nnoticeable traces of ramFS during its use.\r\nHere are some high-level characteristics of this file system:\r\nFile names and file content are encoded in Unicode\r\nFile names length is limited to 260 characters\r\nOnce decrypted, file content is manipulated as chunks of 540 bytes\r\nThere is no metadata associated with the files\r\nWe could not find an existing file system matching the memory structures and the characteristics of ramFS, and\r\ntherefore we believe this file system to be an original creation of the Animal Farm group.\r\nCommands\r\nSeveral commands can be executed in the context of ramFS, as listed in the following Table.\r\nCommand Meaning\r\nCD Change the current work directory on the real file system\r\nMD N/A: the command is actually not implemented\r\nINSTALL Installation or de-installation of Dino, in Windows registry and/or as a service\r\nEXTRACT Extracts a file stored in ramFS onto the machine\r\nDELETE Deletes a file stored on the machine\r\nEXEC Executes a file stored in ramFS\r\nINJECT Injects a file stored in ramFS into a running process\r\nSLEEP Sleeps for a given amount of time\r\nKILL Terminates a running process\r\nAUTODEL N/A: the command is actually not implemented\r\nUsage of ramFS in Dino\r\nIn the case of Dino, ramFS serves as protected storage for one specific file containing the instructions to remove\r\nthe malware from the machine. The developers named this file the “cleaner” and it is executed when Dino\r\nreceives the command “killBD” (the “BD” acronym is the developers’ designation of the malware).\r\nFigure 2 shows the code responsible for executing this cleaner file. First, it retrieves the name of the file from\r\nDino’s configuration (“a.ini”), then it retrieves the key to decrypt ramFS, and it finally mounts the file system in\r\nmemory in order to execute the cleaner file stored inside. 
The verbosity of the error messages makes it particularly\r\neasy to understand the purpose of the code.\r\nFigure 2\r\nThe cleaner file contains the string “INSTALL -A \"wusvcd\" -U” which, once executed, will uninstall the malware\r\nfrom the machine – “wusvcd” being the name used to register Dino on the machine.\r\nHence, ramFS serves as a protected container for files to be executed on the machine, offering a disposable\r\nexecution environment to the operators and leaving very few traces on the system.\r\nTasks scheduling in a Unix fashion\r\nThe commands “cronadd”, “cronlist” and “crondel” serve respectively to add, list, and remove scheduled tasks\r\nregistered in the CRONTAB module. Those tasks are Dino’s commands.\r\nThe syntax to define scheduled tasks is similar to the one used by the cron Unix command. In particular the time\r\nat which to run a command is given by a string following the format “minute hour day month year dayofweek”.\r\nAlternatively, this string can be replaced by “@boot” for a command to run at each startup – whereas some Unix\r\ncron implementations accept “@reboot”.\r\nAs an example, here is the output of the “cronlist” command after a “wakeup” command has been scheduled to\r\nrun on 7th April 2015 at 15:44:\r\nAs we can see, each entry is identified by an “Id”, an incrementing hexadecimal number starting at 0xC0. The\r\npurpose of the “Local” field remains unclear (the other possible value being “-l”). 
The “Count” parameter counts\r\nthe number of times a command has been executed, “-1” indicating the command will be executed only once.\r\nFinally, the “Visibility” field defines whether the command execution will be reported to the C\u0026C (the other\r\npossible value being “Silent”).\r\nAttribution\r\nDino Belongs To The Farm\r\nThe amount of shared code between Dino and known Animal Farm malware leaves very little doubt that Dino\r\nbelongs to Animal Farm’s arsenal. Among these shared features, we can cite the following:\r\nAt the very beginning of Dino execution, the current process name is checked against process names used\r\nby some sandboxes:\r\nFigure 3\r\nA very similar check (against “klavme”, “myapp”, “TESTAPP” and “afyjevmv.exe”) is present in Bunny samples,\r\nand in some first-stage implants deployed by Animal Farm.\r\nTo hide its calls to certain API functions, Dino employs a classic Animal Farm ploy: a hash is calculated\r\nfrom the function's name and used to look for the address of the API function. The actual hashing algorithm\r\nused in Dino is the same that was used in Casper, namely a combination of rotate-left (ROL) of 7 bits and\r\nexclusive-or (XOR) operations.\r\nDino’s custom file system – the so-called ramFS – is present in several droppers used by Animal Farm.\r\nIn those binaries the file system serves to set the persistence of the payload. 
For example, here is the\r\ncommand executed by some NBOT droppers in the context of ramFS:\r\nAs a final indication that Dino belongs to Animal Farm menagerie, it is noticeable that the output of Dino’s\r\nsysinfo command looks like an updated version of the “beacon” from the SNOWBALL implant described\r\nin the leaked CSE slides – part of operation SNOWGLOBE, which led to the discovery of Babar:\r\nDino’s sysinfo example output\r\nLogin/Domain (owner): Administrator/JOHN (john)\r\nComputer name: JOHN\r\nOrganization (country):  (United States)\r\nRecId: 11173-01-PRS\r\nMaxDelay: 3600\r\nVersion: 1.2\r\nOS version (SP): 5.1 (Service Pack 3)\r\nWOW64: No\r\nDefault browser: firefox.exe\r\nIE version: Mozilla/4.0 (compatible; MSIE 7.0; Win32)\r\nFirst launch: 04/01/2015 - 18:31:14\r\nTime to kill: N/A\r\nLast launch : 04/01/2015 - 19:21:44\r\nMode: N/A  |  Rights: Admin  |  UAC: No\r\nID: 4635BEF0-D89D-11E4-B283-000C-29FD2872\r\nInstallAv: 0\r\nInj: Yes\r\nAll these indicators together make us very confident that Dino was developed by the Animal Farm group.\r\nFrench speaking Developers\r\nDino adds at least two more indicators to those already documented suggesting that Animal Farm developers are\r\nFrench speaking:\r\nDino’s binary contains a resource whose language code value is 1036. The original purpose of this\r\nlanguage code is to allow developers to provide resources (menus, icons, version information…) for\r\ndifferent locations in the world in the corresponding language. Interestingly, when a developer does not\r\nmanually specify the language code, the compiler sets it to the language of the developer’s machine. So,\r\nwhich language corresponds to the value 1036, or 0x40c in hexadecimal? 
French (France).\r\nOf course a non-French speaking developer could have deliberately set this value to mislead attribution efforts.\r\nBut in more recent Animal Farm binaries (for example Casper), this language code has been set to the classical\r\nEnglish (USA) language code. Therefore, it seems that Animal Farm developers forgot to set this value in their\r\nfirst creations, realized their mistake at some point, and decided to set a standard value. Someone using the\r\nlanguage code as a false flag would have likely kept the strategy going.\r\nFor the record, this Dino sample is not the only Animal Farm binary with 1036 as language code.\r\nDino’s binary is statically linked with the GnuMP library, which is used to manipulate big numbers in\r\ncryptography algorithms. The GnuMP code in Dino contains file paths coming from the developer’s\r\nmachine:\r\n..\\..\\src\\arithmetique\\mpn\\mul.c\r\n..\\..\\src\\arithmetique\\printf\\doprnt.c\r\n..\\..\\src\\arithmetique\\mpn\\tdiv_qr.c\r\n..\\..\\src\\arithmetique\\mpn\\mul_fft.c\r\n..\\..\\src\\arithmetique\\mpn\\get_str.c\r\nAs the attentive reader has probably guessed, “arithmetique” is the French translation of “arithmetic”.\r\nConclusion\r\nDino’s binary shows an intense development effort, from custom data structures to a homemade file system. As\r\nwith other Animal Farm binaries, it bears the mark of professional and experienced developers.\r\nBut Dino also shows a poor knowledge, or interest, from these developers in anti-analysis techniques – contrary to\r\nwhat was seen in Casper – as demonstrated, for example, by the verbosity of some of Dino’s log messages:\r\nAll those messages provide substantial help in understanding Dino’s internal workings. 
One will also appreciate\r\nthe numerous misspellings contained in the messages.\r\nRegarding Dino’s victims, we know very little except that they were located in Iran in 2013. This is in accordance\r\nwith the victimology described by Canada’s CSE in its presentation:\r\nThat leads us to the final point of this blog: several signs suggest that Dino’s creators are French speaking\r\ndevelopers. These signs add to the pretty long list of indicators already supporting this hypothesis, in particular the\r\nones mentioned by Canada’s CSE.\r\nIndicators of Compromise\r\nIndicator Value\r\nSample SHA1 BF551FBDCF5A982705C01094436883A6AD3B75BD\r\nC\u0026C URL hXXp://www.azhar.bf/modules/mod_search/found/cache/postal.php\r\nC\u0026C URL hXXp://www.rsvniima.org/templates/rsv/icons/din12/postal.php\r\nC\u0026C URL hXXp://dneprorudnoe.info/sxd/lang/i18n/charcodes/postal.php\r\nPath C:\\Program Files\\Common Files\\wusvcd\\wusvcd.exe\r\nDefault storage file\r\nnames\r\nC:\\Program Files\\Common Files\\wusvcd\\wusvcd00000000-0000-0000-0000-0000-\r\n00000000.{dax,dat,lck}\r\nDownloaded file\r\nname extension\r\n.tmp_dwn\r\nRegistry key Software\\Microsoft\\Windows\\Windows\\CurrentVersion\\Run\\wusvcd\r\nSource: https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2015/06/30/dino-spying-malware-analyzed/"
	],
	"report_names": [
		"dino-spying-malware-analyzed"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e09a7338-fb16-4e39-b579-c3bfc3140c47",
			"created_at": "2022-10-25T16:07:24.207294Z",
			"updated_at": "2026-04-10T02:00:04.899166Z",
			"deleted_at": null,
			"main_name": "Snowglobe",
			"aliases": [
				"ATK 8",
				"Animal Farm",
				"SIG20",
				"Snowglobe"
			],
			"source_name": "ETDA:Snowglobe",
			"tools": [
				"Babar",
				"Casper",
				"Chocopop",
				"Dino",
				"EvilBunny",
				"Nbot",
				"TFC",
				"Tafacalou"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "548a4081-aa8f-4e2a-bcb3-0c9dfa61944f",
			"created_at": "2023-01-06T13:46:38.443779Z",
			"updated_at": "2026-04-10T02:00:02.977564Z",
			"deleted_at": null,
			"main_name": "SNOWGLOBE",
			"aliases": [
				"Animal Farm",
				"Snowglobe",
				"ATK8"
			],
			"source_name": "MISPGALAXY:SNOWGLOBE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434549,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e173563d4c7aa0e01d186d34fa07739d6bba9591.pdf",
		"text": "https://archive.orkl.eu/e173563d4c7aa0e01d186d34fa07739d6bba9591.txt",
		"img": "https://archive.orkl.eu/e173563d4c7aa0e01d186d34fa07739d6bba9591.jpg"
	}
}